Second-hand electronics retailer CeX said on Tuesday (29 August) it suffered a massive “online security breach” compromising the personal data and passwords of up to two million customers. The UK retailer said customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack that saw “an unauthorised third party” illegally access its computer systems.

Hackers may have also swiped encrypted data from expired credit and debit cards up to 2009 in a “small number of instances.” CeX said any payment card data that may have been stolen in the attack “has long since expired” since they stopped storing financial data in 2009.

“No further financial information has been shared,” CeX said in a statement, noting that there is currently no indication that in-store personal membership information has been compromised.

Founded in London in 1992, CeX currently has stores across the UK, US, India, Spain, Ireland, Portugal, Netherlands, Mexico, Poland, Australia and Canarias.

CeX said it was working with relevant authorities and law enforcement with their investigation of the cyberattack.
The firm did not specify when and how the attack took place or details about the possible perpetrators of the attack. Since investigations are ongoing, the company said it could not share additional details regarding the breach.

CeX also runs the WeBuy.com website, one of the largest online marketplaces for buying and selling used electronics, games and gadgets. The firm has advised customers to change their WeBuy website password “as a precautionary measure”. Customers that use the same password across other websites and services should change their passwords as well.

“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services”, CeX said. “As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.”

The company added that users that do not receive a notification email were not affected in the breach.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CEX said.

“Clearly, however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”